BRATISLAVA – June 17, 2019 – ESET researchers have discovered fake cryptocurrency apps using a previously unseen technique to bypass SMS-based two-factor authentication (2FA), circumventing Google’s recent SMS permissions restrictions. Google restricted the use of SMS and Call Log permissions in Android apps in March 2019 to prevent intrusive apps from abusing them for various illicit purposes.
The apps, named “BTCTurk Pro Beta,” “BtcTurk Pro Beta” and “BTCTURK PRO” impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these malicious apps take the one-time password (OTP) from notifications appearing on the compromised device’s display. Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening. All three apps were uploaded to Google Play in June 2019 and were quickly taken down following ESET’s notification.
After the fake BtcTurk apps are installed and launched, they request a permission named Notification access. The apps can then read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain. According to ESET’s analysis, the attackers behind these apps specifically target notifications from SMS and email apps.
“One of the positive effects of Google’s restrictions from March 2019 was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based 2FA mechanisms,” said Lukáš Štefanko, malware researcher, ESET. “However, with the discovery of these fake apps, we have now seen the first malware sidestepping this SMS permission restriction,” added Štefanko.
The Notification access permission was introduced in Android’s Jelly Bean 4.3 version, meaning almost all active Android devices are susceptible to this new technique. The fake BtcTurk apps require Android version 5.0 (KitKat) and higher to run; thus, they affect around 90% of Android devices.
As for the effectiveness in bypassing 2FA, this specific technique does have its limitations – attackers can only access the text that fits the notification’s text field, and thus, it is not guaranteed that the text will include the OTP. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting accessible data.
For more details, read the full piece by Lukáš Štefanko, “Malware sidesteps Google permissions policy with new 2FA bypass technique,” on WeLiveSecurity.com.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.